Apache Hardening - ConnorEast/Tech-Journal GitHub Wiki

Apache Hardening

To begin I went into the developer tools section of my apache site located at 10.0.17.15. I then clicked on the network tab in order to look for the Server type in my response header. Below is an image of said header

As can bee seen in the image above my server is running on "Apache/2.4.37(rocky) OpenSSL1.1.1k". It is important to note that by exposing this, you are putting your servers at risk by letting potential hackers know what versions of an attack they should try in order to access your system.

Removing Server Signatures.

On your Apache host you should go to your webservers configuration file and modify the httpd.conf file to house the following code.

ServerToken Prod.
ServerSignature Off.
Here is an image showing the code of my XXXVVVMMMLAMMA.com site made in the previous class.

Next you should restart apache by using the command _ "systemctl restart httpd" _. below is an image showing the server for my Connor.com site (XXXVVVMMMLAMMA.com) has been properly set up to no longer show the server information.

Disabling directory browser listing:

Return to your apache server and go to the subroot of "/var/www/html" inside that folder I will create a directory called test. Inside that folder I touched a hi and a hello document. After doing that I went to and edited the httpd.conf file and changed the Options section to none as seen below.
Which gave me this error upon boot up.

Disable Trace HTTP Request

Why should we remove the trace? If the trace is allowed it comes with the potentiality that a Cross Site Tracing attack may occur allowing hackers to steal cookie information. To begin lets install Telnet. You can install telnet by using the "yum -y install telnet" command.
Testing telnet

Telnet command + Scripting

To put an end to traces do the following: